Study Reveals ConnectWise ScreenConnect Vulnerabilities Exploitation and Risks of Second Attack on Victims That Pay Ransoms

by

Vulnerabilities discovered in the remote desktop program ConnectWise ScreenConnect are being taken advantage of to have an assortment of various malicious payloads into company environments. ConnectWise first announced the vulnerabilities on February 13, 2024. Then, attacks aimed at the vulnerabilities began one day after the launch of patches. One vulnerability, CVE-2024-1709, is an authentication bypass vulnerability with a CVSS severity score of 10. Vulnerability CVE-2024-1708 with a CVSS severity rating of 8.4 is regarded as a high-severity path traversal vulnerability.

Because of the extent of the flaws and the high probability of exploitation, ConnectWise told admins to update their on-premise servers to the fixed model quickly. Proof-of-concept (PoC) exploits were shared right after the disclosure and 24 hours after the availability of the emergency patches, hackers commenced exploiting the vulnerabilities. According to Palo Alto Networks, approximately 18,000 IP addresses are having ScreenConnect, though, since February 20, 2023, the ShadowServer Foundation says that many were updated. Since February 20, 2024, close to 3,800 ScreenConnect connect servers continued to be exposed.

As per Huntress’ researchers, a request may be delivered to a vulnerable ScreenConnect server that will allow the setup wizard to be employed, though ScreenConnect was already configured, which makes it possible for an attacker to set up a new admin account and control the ScreenConnect instance. The CVE-2024-1709 vulnerability has been included in the Known Exploited Vulnerability Catalog by the Cybersecurity and Infrastructure Security Agency on February 22, 2024.

The vulnerabilities impact ScreenConnect servers operating version 23.9.7 and prior. ConnectWise has reported that it has protected all hostedrmm.com or screenconnect.com clouds. On-premise clients should upgrade to ConnectWise ScreenConnect 23.9.8 to avoid exploitation of the vulnerabilities.

Many Paying Ransomware Victims Experience a Second Attack

Giving a ransom payment may help retrieve encrypted files as attackers often delete stolen information from data leak sites, however paying victims frequently get a second attack. These might be attacks carried out by the same threat actor or some other ransomware group.

These double ransomware attacks are very prevalent. As per new research performed by the cybersecurity agency Cybereason, 56% of businesses surveyed have encountered not just one ransomware attack, and 78% of establishments that paid a ransom experienced a second attack. For the second ransomware attack, 63% were demanded to pay much more. Out of the 78% of companies that experienced a second attack, 36% stated the attack was done by the same attacker and 42% were done by another attacker.

The survey affirmed the challenges of ransom payments. Just 47% of businesses that decide to make ransom payments got back their files, with the others stating they either could not get back their files or that their files were corrupted. Numerous ransomware attack victims opt to pay a ransom to stop the publishing of the stolen data. Though ransomware groups generally delete stolen files from their data leak websites after getting ransom payment, there is no assurance that the records will be erased. That data is precious and can quickly be offered for sale to another attacker, therefore there is little motivation to erase it.

The risk of data exposure is one of the major reasons why victims pay ransoms, nevertheless, various factors make attacked companies pay up, like lacking backup data, the long time it takes to recover when no ransom is paid, fear of losing enterprise, and insufficient staff members to take care of the attack.

Of the 1,000 companies surveyed, 84% mentioned they gave a ransom payment after being attacked and that the average required ransom was $1.4 million. No matter if the ransom is paid, the losses could be significant. 46% of businesses that encountered an attack stated their losses were from $1 million, and $10 million, and 16% stated they lost over $10 million.

These are the typical initial access vectors in attacks:

  • 22% are malicious insiders
  • 24% are direct attacks
  • 41% are supply chain compromises

The survey likewise reveals that a lot of ransomware gangs are taking their time to breach a big part of the network as they can. They steal substantial amounts of information and just use ransomware when they think they can ask for big payments. 56% of victims mentioned the attackers were within their systems from 3 to 12 months before using ransomware.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone